Documentation
¶
Overview ¶
Package exploit verifies known Swagger-UI client-side vulnerabilities (configUrl/url DOM XSS, spec-driven HTML injection) using a headless browser for high-accuracy confirmation. This module is OPT-IN and gated by the CLI: it only runs against targets the operator explicitly authorizes.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Engine ¶
type Engine struct {
// contains filtered or unexported fields
}
Engine confirms client-side vulns with a shared headless browser + PoC server.
func (*Engine) Close ¶
func (e *Engine) Close()
Close shuts down the browser allocator and PoC server.
func (*Engine) PayloadURL ¶
PayloadURL returns the built-in PoC spec URL (used when no custom payload set).
func (*Engine) Test ¶
func (e *Engine) Test(ctx context.Context, targetURL, param, payloadURL, cve, marker string, screenshot bool) Finding
Test loads targetURL with payloadURL injected via param, and confirms exploitation in a headless browser. Confirmation signals, in order of strength:
- a JavaScript dialog fired (alert/confirm/prompt) -> script executed -> dom-xss
- the built-in PoC markers (window flag / title / element) -> dom-xss / html-injection
- a caller-supplied marker string found in the DOM or console
CORS-blocked spec fetches are reported distinctly so they aren't false negatives.
type Finding ¶
type Finding struct {
TargetURL string `json:"target_url"`
TestedURL string `json:"tested_url"`
Param string `json:"param"`
PayloadURL string `json:"payload_url"`
Vulnerable bool `json:"vulnerable"`
Type string `json:"type,omitempty"` // "dom-xss" | "html-injection"
Signal string `json:"signal,omitempty"` // how it was confirmed
Evidence string `json:"evidence,omitempty"`
CVE string `json:"cve,omitempty"`
UILoaded bool `json:"ui_loaded"`
CORSBlocked bool `json:"cors_blocked"`
Console []string `json:"console,omitempty"`
}
Finding describes a confirmed (or attempted) exploitation result.